claude-flow-novice 2.15.2 → 2.15.4

Files changed (533)
  1. package/.claude/cfn-extras/skills/advanced-features/cfn-agent-swap/recommend-swap.sh +59 -59
  2. package/.claude/cfn-extras/skills/analytics/cfn-improvement-recommender/recommend-improvements.sh +91 -91
  3. package/.claude/cfn-extras/skills/analytics/cfn-pattern-extraction/extract-patterns.sh +79 -79
  4. package/.claude/cfn-extras/skills/analytics/cfn-retrospective-report/generate-report.sh +100 -100
  5. package/.claude/cfn-extras/skills/analytics/cfn-telemetry/start-telemetry.sh +110 -110
  6. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/add-bullet.sh +145 -145
  7. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/log-merge.sh +67 -67
  8. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/monitor-injection-performance.sh +137 -137
  9. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/optimize-injection-pipeline.sh +168 -168
  10. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/query-reflections.sh +35 -35
  11. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/store-reflection.sh +45 -45
  12. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/track-ab-test.sh +41 -41
  13. package/.claude/cfn-extras/skills/deprecated/cfn-ace-system/update-reflection.sh +41 -41
  14. package/.claude/cfn-extras/skills/deprecated/cfn-cli-setup/validate-cli-environment.sh +191 -191
  15. package/.claude/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/create-campaign.sh +231 -231
  16. package/.claude/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/get-campaign-performance.sh +190 -190
  17. package/.claude/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/pause-campaign.sh +142 -142
  18. package/.claude/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/set-budget.sh +181 -181
  19. package/.claude/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/update-bid-strategy.sh +133 -133
  20. package/.claude/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/get-conversation-history.sh +121 -121
  21. package/.claude/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/qualify-lead.sh +156 -156
  22. package/.claude/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/schedule-demo.sh +181 -181
  23. package/.claude/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/send-message.sh +137 -137
  24. package/.claude/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/transfer-to-human.sh +179 -179
  25. package/.claude/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/create-campaign.sh +183 -183
  26. package/.claude/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/get-delivery-status.sh +139 -139
  27. package/.claude/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/opt-out.sh +150 -150
  28. package/.claude/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/schedule-campaign.sh +187 -187
  29. package/.claude/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/send-sms.sh +181 -181
  30. package/.claude/cfn-extras/skills/ui-portal/cfn-web-portal/test-web-portal-skill.sh +50 -50
  31. package/.claude/cfn-extras/skills/ui-portal/cfn-web-portal/validate-deployment.sh +84 -84
  32. package/.claude/cfn-extras/skills/utility/cfn-environment-sanitization/sanitize-environment.sh +243 -243
  33. package/.claude/commands/cfn-loop-cli.md +16 -2
  34. package/.claude/commands/switch-api.md +31 -10
  35. package/.claude/hooks/cfn-BACKUP_USAGE.md +243 -243
  36. package/.claude/hooks/cfn-invoke-security-validation.sh +69 -69
  37. package/.claude/hooks/cfn-lint-sql-injection.sh +61 -0
  38. package/.claude/hooks/cfn-post-edit-cfn-retrospective.sh +109 -78
  39. package/.claude/hooks/cfn-post-edit.config.json +44 -44
  40. package/.claude/hooks/cfn-pre-edit-security-warning.sh +40 -0
  41. package/.claude/skills/cfn-agent-spawning/spawn-agent.sh +22 -24
  42. package/.claude/skills/cfn-docker-agent-spawning/SKILL.md +28 -4
  43. package/.claude/skills/cfn-docker-agent-spawning/spawn-agent.sh +3 -1
  44. package/.claude/skills/cfn-docker-loop-orchestration/orchestrate.sh +224 -20
  45. package/.claude/skills/cfn-hybrid-routing/check-dependencies.sh +51 -51
  46. package/.claude/skills/cfn-loop-orchestration/helpers/gate-check.sh +550 -46
  47. package/.claude/skills/cfn-loop-orchestration/helpers/parse-test-results.sh +277 -0
  48. package/.claude/skills/cfn-loop-orchestration/orchestrate.sh +184 -23
  49. package/.claude/skills/cfn-loop-orchestration/security_utils.sh +24 -0
  50. package/.claude/skills/cfn-loop-orchestration/test-iteration-context-injection.sh +366 -0
  51. package/.claude/skills/cfn-loop-validation/orchestrate-cfn-loop.sh +252 -252
  52. package/.claude/skills/cfn-redis-coordination/CENTRALIZED_REDIS_WRAPPER.md +319 -0
  53. package/.claude/skills/cfn-redis-coordination/agent-log.sh +4 -0
  54. package/.claude/skills/cfn-redis-coordination/agent-log.sh.bak +124 -0
  55. package/.claude/skills/cfn-redis-coordination/agent-recovery.sh +74 -74
  56. package/.claude/skills/cfn-redis-coordination/collect-confidence-scores.sh +30 -0
  57. package/.claude/skills/cfn-redis-coordination/get-context.sh +145 -112
  58. package/.claude/skills/cfn-redis-coordination/get-success-criteria.sh +54 -0
  59. package/.claude/skills/cfn-redis-coordination/invoke-waiting-mode.sh +3 -0
  60. package/.claude/skills/cfn-redis-coordination/redis-cli-wrapper.sh +24 -3
  61. package/.claude/skills/cfn-redis-coordination/redis-functions.sh +33 -0
  62. package/.claude/skills/cfn-redis-coordination/report-completion.sh +24 -31
  63. package/.claude/skills/cfn-redis-coordination/store-context.sh +4 -0
  64. package/.claude/skills/cfn-redis-coordination/store-success-criteria.sh +85 -0
  65. package/.claude/skills/cfn-redis-coordination/update-all-scripts.sh +67 -0
  66. package/.claude/skills/cfn-sqlite-memory/ttl-cleanup.sh +17 -25
  67. package/.claude/skills/cfn-transparency-middleware/middleware-config.sh +28 -28
  68. package/.claude/skills/cfn-transparency-middleware/performance-benchmark.sh +78 -78
  69. package/.claude/skills/cfn-transparency-middleware/test-e2e.sh +15 -0
  70. package/.claude/skills/cfn-transparency-middleware/test-integration.sh +161 -161
  71. package/.claude/skills/cfn-transparency-middleware/test-transparency-skill.sh +367 -367
  72. package/.claude/skills/cfn-transparency-middleware/tests/input-validation.sh +107 -92
  73. package/.claude/skills/cfn-transparency-middleware/wrap-agent.sh +131 -131
  74. package/README.md +116 -475
  75. package/claude-assets/agents/cfn-dev-team/README.md +103 -0
  76. package/claude-assets/agents/cfn-dev-team/architecture/goal-planner.md +1 -1
  77. package/claude-assets/agents/cfn-dev-team/coordinators/cfn-frontend-coordinator.md +77 -15
  78. package/claude-assets/agents/cfn-dev-team/coordinators/cfn-v3-coordinator.md +355 -6
  79. package/claude-assets/agents/cfn-dev-team/coordinators/consensus-builder.md +82 -1
  80. package/claude-assets/agents/cfn-dev-team/coordinators/handoff-coordinator.md +82 -1
  81. package/claude-assets/agents/cfn-dev-team/coordinators/multi-sprint-coordinator.md +77 -15
  82. package/claude-assets/agents/cfn-dev-team/dev-ops/docker-specialist.md +99 -12
  83. package/claude-assets/agents/cfn-dev-team/dev-ops/github-commit-agent.md +1 -1
  84. package/claude-assets/agents/cfn-dev-team/dev-ops/kubernetes-specialist.md +97 -0
  85. package/claude-assets/agents/cfn-dev-team/dev-ops/monitoring-specialist.md +20 -1
  86. package/claude-assets/agents/cfn-dev-team/developers/api-gateway-specialist.md +97 -0
  87. package/claude-assets/agents/cfn-dev-team/developers/backend-developer.md +110 -13
  88. package/claude-assets/agents/cfn-dev-team/developers/data/data-engineer.md +106 -15
  89. package/claude-assets/agents/cfn-dev-team/developers/database/database-architect.md +115 -11
  90. package/claude-assets/agents/cfn-dev-team/developers/frontend/mobile-dev.md +94 -7
  91. package/claude-assets/agents/cfn-dev-team/developers/frontend/react-frontend-engineer.md +87 -9
  92. package/claude-assets/agents/cfn-dev-team/developers/frontend/typescript-specialist.md +85 -7
  93. package/claude-assets/agents/cfn-dev-team/developers/frontend/ui-designer.md +160 -28
  94. package/claude-assets/agents/cfn-dev-team/developers/graphql-specialist.md +101 -19
  95. package/claude-assets/agents/cfn-dev-team/developers/rust-developer.md +108 -14
  96. package/claude-assets/agents/cfn-dev-team/reviewers/{reviewer.md → code-reviewer.md} +95 -8
  97. package/claude-assets/agents/cfn-dev-team/reviewers/quality/code-quality-validator.md +107 -7
  98. package/claude-assets/agents/cfn-dev-team/reviewers/quality/perf-analyzer.md +98 -7
  99. package/claude-assets/agents/cfn-dev-team/reviewers/quality/performance-benchmarker.md +95 -7
  100. package/claude-assets/agents/cfn-dev-team/reviewers/quality/security-specialist.md +136 -9
  101. package/claude-assets/agents/cfn-dev-team/testers/api-testing-specialist.md +108 -1
  102. package/claude-assets/agents/cfn-dev-team/testers/chaos-engineering-specialist.md +107 -13
  103. package/claude-assets/agents/cfn-dev-team/testers/contract-tester.md +737 -0
  104. package/claude-assets/agents/cfn-dev-team/testers/e2e/playwright-tester.md +1 -1
  105. package/claude-assets/agents/cfn-dev-team/testers/integration-tester.md +828 -0
  106. package/claude-assets/agents/cfn-dev-team/testers/interaction-tester.md +106 -7
  107. package/claude-assets/agents/cfn-dev-team/testers/load-testing-specialist.md +77 -0
  108. package/claude-assets/agents/cfn-dev-team/testers/mutation-testing-specialist.md +684 -0
  109. package/claude-assets/agents/cfn-dev-team/testers/playwright-tester.md +110 -1
  110. package/claude-assets/agents/cfn-dev-team/testers/tester.md +94 -7
  111. package/claude-assets/agents/cfn-dev-team/utility/code-booster.md +1 -3
  112. package/claude-assets/agents/cfn-dev-team/utility/epic-creator.md +87 -13
  113. package/claude-assets/agents/cfn-dev-team/utility/memory-leak-specialist.md +103 -7
  114. package/claude-assets/agents/cfn-dev-team/utility/researcher.md +1 -3
  115. package/claude-assets/agents/cfn-dev-team/utility/z-ai-specialist.md +94 -7
  116. package/claude-assets/agents/docker-coordinators/cfn-docker-v3-coordinator.md +46 -0
  117. package/claude-assets/agents/project-only-agents/npm-package-specialist.md +1 -1
  118. package/claude-assets/cfn-extras/skills/advanced-features/cfn-agent-swap/recommend-swap.sh +59 -59
  119. package/claude-assets/cfn-extras/skills/analytics/cfn-improvement-recommender/recommend-improvements.sh +91 -91
  120. package/claude-assets/cfn-extras/skills/analytics/cfn-pattern-extraction/extract-patterns.sh +79 -79
  121. package/claude-assets/cfn-extras/skills/analytics/cfn-retrospective-report/generate-report.sh +100 -100
  122. package/claude-assets/cfn-extras/skills/analytics/cfn-telemetry/start-telemetry.sh +110 -110
  123. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/add-bullet.sh +145 -145
  124. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/log-merge.sh +67 -67
  125. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/monitor-injection-performance.sh +137 -137
  126. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/optimize-injection-pipeline.sh +168 -168
  127. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/query-reflections.sh +35 -35
  128. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/store-reflection.sh +45 -45
  129. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/track-ab-test.sh +41 -41
  130. package/claude-assets/cfn-extras/skills/deprecated/cfn-ace-system/update-reflection.sh +41 -41
  131. package/claude-assets/cfn-extras/skills/deprecated/cfn-cli-setup/validate-cli-environment.sh +191 -191
  132. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/create-campaign.sh +231 -231
  133. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/get-campaign-performance.sh +190 -190
  134. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/pause-campaign.sh +142 -142
  135. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/set-budget.sh +181 -181
  136. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-ad-campaigns/operations/update-bid-strategy.sh +133 -133
  137. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/get-conversation-history.sh +121 -121
  138. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/qualify-lead.sh +156 -156
  139. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/schedule-demo.sh +181 -181
  140. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/send-message.sh +137 -137
  141. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-chatbot-conversations/operations/transfer-to-human.sh +179 -179
  142. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/create-campaign.sh +183 -183
  143. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/get-delivery-status.sh +139 -139
  144. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/opt-out.sh +150 -150
  145. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/schedule-campaign.sh +187 -187
  146. package/claude-assets/cfn-extras/skills/marketing/cfn-marketing-sms-campaigns/operations/send-sms.sh +181 -181
  147. package/claude-assets/cfn-extras/skills/ui-portal/cfn-web-portal/test-web-portal-skill.sh +50 -50
  148. package/claude-assets/cfn-extras/skills/ui-portal/cfn-web-portal/validate-deployment.sh +84 -84
  149. package/claude-assets/cfn-extras/skills/utility/cfn-environment-sanitization/sanitize-environment.sh +243 -243
  150. package/claude-assets/commands/cfn-loop-cli.md +16 -2
  151. package/claude-assets/commands/switch-api.md +31 -10
  152. package/claude-assets/hooks/cfn-BACKUP_USAGE.md +243 -243
  153. package/claude-assets/hooks/cfn-invoke-security-validation.sh +69 -69
  154. package/claude-assets/hooks/cfn-lint-sql-injection.sh +61 -0
  155. package/claude-assets/hooks/cfn-post-edit-cfn-retrospective.sh +109 -78
  156. package/claude-assets/hooks/cfn-post-edit.config.json +44 -44
  157. package/claude-assets/hooks/cfn-post-execution/memory-cleanup.sh +19 -19
  158. package/claude-assets/hooks/cfn-pre-edit-security-warning.sh +40 -0
  159. package/claude-assets/hooks/cfn-pre-execution/memory-check.sh +19 -19
  160. package/claude-assets/hooks/detect-hardcoded-credentials.sh +212 -0
  161. package/claude-assets/skills/SKILL_TEMPLATE.md +774 -0
  162. package/claude-assets/skills/agent-lifecycle/execute-lifecycle-hook.sh +543 -572
  163. package/claude-assets/skills/agent-lifecycle/simple-audit.sh +57 -30
  164. package/claude-assets/skills/agent-template-generator/SKILL.md +440 -0
  165. package/claude-assets/skills/agent-template-generator/generate-agent.sh +405 -0
  166. package/claude-assets/skills/agent-validation-linter/SKILL.md +589 -0
  167. package/claude-assets/skills/agent-validation-linter/lint-agents.sh +271 -0
  168. package/claude-assets/skills/bootstrap/bash-fundamentals.md +786 -0
  169. package/claude-assets/skills/bootstrap/database-connection.md +464 -0
  170. package/claude-assets/skills/bootstrap/error-handling.md +580 -0
  171. package/claude-assets/skills/bootstrap/file-operations.md +699 -0
  172. package/claude-assets/skills/bootstrap/skill-loader.md +616 -0
  173. package/claude-assets/skills/bootstrap/sqlite-params.sh +287 -0
  174. package/claude-assets/skills/cfn-agent-spawning/spawn-agent.sh +22 -24
  175. package/claude-assets/skills/cfn-automatic-memory-persistence/persist-agent-output.sh +48 -48
  176. package/claude-assets/skills/cfn-automatic-memory-persistence/query-agent-history.sh +34 -34
  177. package/claude-assets/skills/cfn-automatic-memory-persistence/test-memory-persistence.sh +17 -16
  178. package/claude-assets/skills/cfn-deliverable-validation/confidence-calculator.sh +261 -261
  179. package/claude-assets/skills/cfn-deployment/SKILL.md +293 -0
  180. package/claude-assets/skills/cfn-deployment/execute.sh +21 -0
  181. package/claude-assets/skills/cfn-docker-agent-spawning/SKILL.md +28 -4
  182. package/claude-assets/skills/cfn-docker-agent-spawning/spawn-agent.sh +3 -1
  183. package/claude-assets/skills/cfn-docker-loop-orchestration/orchestrate.sh +224 -20
  184. package/claude-assets/skills/cfn-environment-sanitization/sanitize-environment.sh +38 -0
  185. package/claude-assets/skills/cfn-error-batching-strategy/lib/core-functions.sh +47 -47
  186. package/claude-assets/skills/cfn-expert-update/update-expert.sh +345 -345
  187. package/claude-assets/skills/cfn-file-operations/SKILL.md +290 -0
  188. package/claude-assets/skills/cfn-file-operations/execute.sh +129 -0
  189. package/claude-assets/skills/cfn-file-operations/lib/atomic-write.sh +294 -0
  190. package/claude-assets/skills/cfn-file-operations/lib/lock.sh +361 -0
  191. package/claude-assets/skills/cfn-file-operations/test.sh +369 -0
  192. package/claude-assets/skills/cfn-hybrid-routing/check-dependencies.sh +51 -51
  193. package/claude-assets/skills/cfn-intervention-detector/detect-intervention.sh +110 -110
  194. package/claude-assets/skills/cfn-intervention-orchestrator/execute-intervention.sh +58 -58
  195. package/claude-assets/skills/cfn-log-operations/SKILL.md +308 -0
  196. package/claude-assets/skills/cfn-log-operations/execute.sh +420 -0
  197. package/claude-assets/skills/cfn-log-operations/lib/rotate.sh +406 -0
  198. package/claude-assets/skills/cfn-log-operations/lib/search.sh +448 -0
  199. package/claude-assets/skills/cfn-log-operations/test.sh +394 -0
  200. package/claude-assets/skills/cfn-loop-orchestration/helpers/gate-check.sh +550 -46
  201. package/claude-assets/skills/cfn-loop-orchestration/helpers/parse-test-results.sh +277 -0
  202. package/claude-assets/skills/cfn-loop-orchestration/orchestrate.sh +184 -23
  203. package/claude-assets/skills/cfn-loop-orchestration/security_utils.sh +24 -0
  204. package/claude-assets/skills/cfn-loop-orchestration/test-iteration-context-injection.sh +366 -0
  205. package/claude-assets/skills/cfn-loop-validation/orchestrate-cfn-loop.sh +252 -252
  206. package/claude-assets/skills/cfn-loop2-output-processing/process-validator-output.sh +275 -275
  207. package/claude-assets/skills/cfn-memory-management/check-memory.sh +159 -159
  208. package/claude-assets/skills/cfn-memory-management/cleanup-memory.sh +196 -196
  209. package/claude-assets/skills/cfn-node-heap-sizer/task-mode-heap-limiter.sh +325 -325
  210. package/claude-assets/skills/cfn-parameterized-queries/SKILL.md +339 -0
  211. package/claude-assets/skills/cfn-playbook/query-playbook.sh +19 -15
  212. package/claude-assets/skills/cfn-playbook/update-playbook.sh +25 -14
  213. package/claude-assets/skills/cfn-playbook-auto-update/auto-update-playbook.sh +85 -85
  214. package/claude-assets/skills/cfn-process-instrumentation/instrument-process.sh +44 -0
  215. package/claude-assets/skills/cfn-promotion/SKILL.md +305 -0
  216. package/claude-assets/skills/cfn-redis-coordination/CENTRALIZED_REDIS_WRAPPER.md +319 -0
  217. package/claude-assets/skills/cfn-redis-coordination/agent-log.sh +4 -0
  218. package/claude-assets/skills/cfn-redis-coordination/agent-log.sh.bak +124 -0
  219. package/claude-assets/skills/cfn-redis-coordination/agent-recovery.sh +74 -74
  220. package/claude-assets/skills/cfn-redis-coordination/collect-confidence-scores.sh +30 -0
  221. package/claude-assets/skills/cfn-redis-coordination/get-context.sh +145 -112
  222. package/claude-assets/skills/cfn-redis-coordination/get-success-criteria.sh +54 -0
  223. package/claude-assets/skills/cfn-redis-coordination/invoke-waiting-mode.sh +3 -0
  224. package/claude-assets/skills/cfn-redis-coordination/redis-cli-wrapper.sh +24 -3
  225. package/claude-assets/skills/cfn-redis-coordination/redis-functions.sh +33 -0
  226. package/claude-assets/skills/cfn-redis-coordination/report-completion.sh +24 -31
  227. package/claude-assets/skills/cfn-redis-coordination/store-context.sh +4 -0
  228. package/claude-assets/skills/cfn-redis-coordination/store-success-criteria.sh +85 -0
  229. package/claude-assets/skills/cfn-redis-coordination/update-all-scripts.sh +67 -0
  230. package/claude-assets/skills/cfn-scope-simplifier/simplify-scope.sh +67 -67
  231. package/claude-assets/skills/cfn-skill-loader/SKILL.md +466 -0
  232. package/claude-assets/skills/cfn-skill-loader/execute.sh +344 -0
  233. package/claude-assets/skills/cfn-specialist-injection/recommend-specialist.sh +56 -56
  234. package/claude-assets/skills/cfn-sqlite-memory/ttl-cleanup.sh +17 -25
  235. package/claude-assets/skills/cfn-standardized-error-handling/capture-agent-error.sh +86 -86
  236. package/claude-assets/skills/cfn-standardized-error-handling/test-error-handling.sh +165 -165
  237. package/claude-assets/skills/cfn-task-audit/get-audit-data.sh +42 -21
  238. package/claude-assets/skills/cfn-task-audit/store-task-audit.sh +17 -10
  239. package/claude-assets/skills/cfn-task-config-init/initialize-config.sh +264 -264
  240. package/claude-assets/skills/cfn-task-decomposition/task-decomposer.sh +278 -278
  241. package/claude-assets/skills/cfn-test-runner/detect-regressions.sh +17 -14
  242. package/claude-assets/skills/cfn-test-runner/detect-regressions.sh.backup-1763392821 +55 -0
  243. package/claude-assets/skills/cfn-test-runner/store-benchmarks.sh +17 -19
  244. package/claude-assets/skills/cfn-transparency-middleware/middleware-config.sh +28 -28
  245. package/claude-assets/skills/cfn-transparency-middleware/performance-benchmark.sh +78 -78
  246. package/claude-assets/skills/cfn-transparency-middleware/test-e2e.sh +15 -0
  247. package/claude-assets/skills/cfn-transparency-middleware/test-integration.sh +161 -161
  248. package/claude-assets/skills/cfn-transparency-middleware/test-transparency-skill.sh +367 -367
  249. package/claude-assets/skills/cfn-transparency-middleware/tests/input-validation.sh +107 -92
  250. package/claude-assets/skills/cfn-transparency-middleware/wrap-agent.sh +131 -131
  251. package/claude-assets/skills/cfn-utilities/SKILL.md +237 -0
  252. package/claude-assets/skills/cfn-utilities/execute.sh +32 -0
  253. package/claude-assets/skills/cfn-utilities/lib/errors.sh +56 -0
  254. package/claude-assets/skills/cfn-utilities/lib/file-ops.sh +164 -0
  255. package/claude-assets/skills/cfn-utilities/lib/logging.sh +77 -0
  256. package/claude-assets/skills/cfn-utilities/lib/retry.sh +127 -0
  257. package/claude-assets/skills/cfn-utilities/test.sh +317 -0
  258. package/claude-assets/skills/docker-build/SKILL.md +96 -203
  259. package/claude-assets/skills/docker-build/build.sh +73 -73
  260. package/claude-assets/skills/integration/agent-handoff.sh +492 -0
  261. package/claude-assets/skills/integration/file-operations.sh +414 -0
  262. package/claude-assets/skills/json-validation/SKILL.md +431 -0
  263. package/claude-assets/skills/json-validation/test-validate-success-criteria.sh +421 -0
  264. package/claude-assets/skills/json-validation/validate-success-criteria.sh +197 -0
  265. package/claude-assets/skills/redis-coordination/validate-parameters.sh +34 -0
  266. package/claude-assets/skills/workflow-codification/APPROVAL_WORKFLOW.md +806 -0
  267. package/claude-assets/skills/workflow-codification/COST_TRACKING.md +637 -0
  268. package/claude-assets/skills/workflow-codification/DEPLOY_QUICK_REFERENCE.md +106 -0
  269. package/claude-assets/skills/workflow-codification/EDGE_CASE_TRACKING.md +404 -0
  270. package/claude-assets/skills/workflow-codification/PROPAGATE_UPDATE_QUICK_REFERENCE.md +366 -0
  271. package/claude-assets/skills/workflow-codification/README_PHASE4.md +457 -0
  272. package/claude-assets/skills/workflow-codification/SKILL.md +110 -0
  273. package/claude-assets/skills/workflow-codification/analyze-patterns.sh +899 -0
  274. package/claude-assets/skills/workflow-codification/approval-workflow.sh +514 -0
  275. package/claude-assets/skills/workflow-codification/deploy-approved-skill.sh +481 -0
  276. package/claude-assets/skills/workflow-codification/deploy-approved-skill.sh.backup-1763392820 +512 -0
  277. package/claude-assets/skills/workflow-codification/generate-skill-update.sh +525 -0
  278. package/claude-assets/skills/workflow-codification/lib/security-utils.sh +204 -0
  279. package/claude-assets/skills/workflow-codification/propagate-skill-update.sh +648 -0
  280. package/claude-assets/skills/workflow-codification/propagate-skill-update.sh.backup-1763392820 +664 -0
  281. package/claude-assets/skills/workflow-codification/review-skill.sh +643 -0
  282. package/claude-assets/skills/workflow-codification/templates/email-notification.txt +114 -0
  283. package/claude-assets/skills/workflow-codification/templates/slack-notification.md +85 -0
  284. package/claude-assets/skills/workflow-codification/test-integration.sh +296 -0
  285. package/claude-assets/skills/workflow-codification/test-metadata-update.sh +350 -0
  286. package/claude-assets/skills/workflow-codification/track-cost-savings.sh +486 -0
  287. package/claude-assets/skills/workflow-codification/track-cost-savings.sh.backup-1763392821 +445 -0
  288. package/claude-assets/skills/workflow-codification/track-edge-case.sh +290 -0
  289. package/claude-assets/skills/workflow-codification/workflow-codification.db +0 -0
  290. package/dist/ace/ace-curator.js +10 -2
  291. package/dist/ace/ace-curator.js.map +1 -1
  292. package/dist/ace/ace-generator.js +4 -0
  293. package/dist/ace/ace-generator.js.map +1 -1
  294. package/dist/ace/ace-reflector.js +1 -1
  295. package/dist/ace/ace-reflector.js.map +1 -1
  296. package/dist/ace/context-injection.js +24 -2
  297. package/dist/ace/context-injection.js.map +1 -1
  298. package/dist/agents/agent-loader.js +146 -165
  299. package/dist/agents/agent-loader.js.map +1 -1
  300. package/dist/agents/task-agent-integration.js +1 -1
  301. package/dist/agents/task-agent-integration.js.map +1 -1
  302. package/dist/api/health-endpoints.js +390 -0
  303. package/dist/api/health-endpoints.js.map +1 -0
  304. package/dist/cli/agent-executor.js +4 -1
  305. package/dist/cli/agent-executor.js.map +1 -1
  306. package/dist/cli/agent-prompt-builder.js +89 -1
  307. package/dist/cli/agent-prompt-builder.js.map +1 -1
  308. package/dist/cli/agent-spawn.js +130 -37
  309. package/dist/cli/agent-spawn.js.map +1 -1
  310. package/dist/cli/config-manager.js +91 -109
  311. package/dist/cli/config-manager.js.map +1 -1
  312. package/dist/cli/skill-cache-validator.js +412 -0
  313. package/dist/cli/skill-cache-validator.js.map +1 -0
  314. package/dist/cli/skill-cli.js +991 -0
  315. package/dist/cli/skill-cli.js.map +1 -0
  316. package/dist/cli/skill-execution-logger.js +284 -0
  317. package/dist/cli/skill-execution-logger.js.map +1 -0
  318. package/dist/cli/skill-loader.js +457 -0
  319. package/dist/cli/skill-loader.js.map +1 -0
  320. package/dist/coordination/event-bus.js +2 -2
  321. package/dist/coordination/event-bus.js.map +1 -1
  322. package/dist/coordination/fleet-manager.js +1 -1
  323. package/dist/coordination/fleet-manager.js.map +1 -1
  324. package/dist/coordination/index.js +23 -9
  325. package/dist/coordination/index.js.map +1 -1
  326. package/dist/coordination/types/fleet-manager.types.js.map +1 -1
  327. package/dist/db/migration-manager.js +483 -0
  328. package/dist/db/migration-manager.js.map +1 -0
  329. package/dist/db/skills-query.js +535 -0
  330. package/dist/db/skills-query.js.map +1 -0
  331. package/dist/integration/DatabaseHandoff.js +507 -0
  332. package/dist/integration/DatabaseHandoff.js.map +1 -0
  333. package/dist/integration/StandardAdapter.js +291 -0
  334. package/dist/integration/StandardAdapter.js.map +1 -0
  335. package/dist/jobs/edge-case-analyzer.js +367 -0
  336. package/dist/jobs/edge-case-analyzer.js.map +1 -0
  337. package/dist/jobs/promotion-sla-enforcer.js +288 -0
  338. package/dist/jobs/promotion-sla-enforcer.js.map +1 -0
  339. package/dist/lib/agent-output-parser.js +518 -0
  340. package/dist/lib/agent-output-parser.js.map +1 -0
  341. package/dist/lib/agent-output-validator.js +950 -0
  342. package/dist/lib/agent-output-validator.js.map +1 -0
  343. package/dist/lib/agent-workspace.js +281 -0
  344. package/dist/lib/agent-workspace.js.map +1 -0
  345. package/dist/lib/artifact-registry.js +443 -0
  346. package/dist/lib/artifact-registry.js.map +1 -0
  347. package/dist/lib/atomic-file-writer.js +377 -0
  348. package/dist/lib/atomic-file-writer.js.map +1 -0
  349. package/dist/lib/backup-manager.js +779 -0
  350. package/dist/lib/backup-manager.js.map +1 -0
  351. package/dist/lib/checkpoint-manager.js +837 -0
  352. package/dist/lib/checkpoint-manager.js.map +1 -0
  353. package/dist/lib/circuit-breaker.js +340 -0
  354. package/dist/lib/circuit-breaker.js.map +1 -0
  355. package/dist/lib/completion-signal-handler.js +243 -0
  356. package/dist/lib/completion-signal-handler.js.map +1 -0
  357. package/dist/lib/config-manager.js +312 -0
  358. package/dist/lib/config-manager.js.map +1 -0
  359. package/dist/lib/config-migrator.js +386 -0
  360. package/dist/lib/config-migrator.js.map +1 -0
  361. package/dist/lib/config-validator.js +687 -0
  362. package/dist/lib/config-validator.js.map +1 -0
  363. package/dist/lib/correlation-cache.js +311 -0
  364. package/dist/lib/correlation-cache.js.map +1 -0
  365. package/dist/lib/correlation.js +263 -0
  366. package/dist/lib/correlation.js.map +1 -0
  367. package/dist/lib/database-service/connection-pool-manager.js +520 -0
  368. package/dist/lib/database-service/connection-pool-manager.js.map +1 -0
  369. package/dist/lib/database-service/correlation.js +329 -0
  370. package/dist/lib/database-service/correlation.js.map +1 -0
  371. package/dist/lib/database-service/errors.js +120 -0
  372. package/dist/lib/database-service/errors.js.map +1 -0
  373. package/dist/lib/database-service/index.js +168 -0
  374. package/dist/lib/database-service/index.js.map +1 -0
  375. package/dist/lib/database-service/postgres-adapter.js +526 -0
  376. package/dist/lib/database-service/postgres-adapter.js.map +1 -0
  377. package/dist/lib/database-service/redis-adapter.js +360 -0
  378. package/dist/lib/database-service/redis-adapter.js.map +1 -0
  379. package/dist/lib/database-service/sqlite-adapter.js +544 -0
  380. package/dist/lib/database-service/sqlite-adapter.js.map +1 -0
  381. package/dist/lib/database-service/transaction-manager.js +773 -0
  382. package/dist/lib/database-service/transaction-manager.js.map +1 -0
  383. package/dist/lib/database-service/types.js +23 -0
  384. package/dist/lib/database-service/types.js.map +1 -0
  385. package/dist/lib/deadlock-resolver.js +292 -0
  386. package/dist/lib/deadlock-resolver.js.map +1 -0
  387. package/dist/lib/distributed-lock.js +451 -0
  388. package/dist/lib/distributed-lock.js.map +1 -0
  389. package/dist/lib/edge-case-deduplicator.js +227 -0
  390. package/dist/lib/edge-case-deduplicator.js.map +1 -0
  391. package/dist/lib/encryption-manager.js +322 -0
  392. package/dist/lib/encryption-manager.js.map +1 -0
  393. package/dist/lib/error-aggregator.js +234 -0
  394. package/dist/lib/error-aggregator.js.map +1 -0
  395. package/dist/lib/errors.js +287 -0
  396. package/dist/lib/errors.js.map +1 -0
  397. package/dist/lib/file-lock-manager.js +578 -0
  398. package/dist/lib/file-lock-manager.js.map +1 -0
  399. package/dist/lib/file-operations.js +367 -0
  400. package/dist/lib/file-operations.js.map +1 -0
  401. package/dist/lib/idempotent-write.js +237 -0
  402. package/dist/lib/idempotent-write.js.map +1 -0
  403. package/dist/lib/integration-schema-validator.js +522 -0
  404. package/dist/lib/integration-schema-validator.js.map +1 -0
  405. package/dist/lib/lock-health-monitor.js +298 -0
  406. package/dist/lib/lock-health-monitor.js.map +1 -0
  407. package/dist/lib/log-shipper.js +422 -0
  408. package/dist/lib/log-shipper.js.map +1 -0
  409. package/dist/lib/logging.js +146 -0
  410. package/dist/lib/logging.js.map +1 -0
  411. package/dist/lib/message-deduplicator.js +439 -0
  412. package/dist/lib/message-deduplicator.js.map +1 -0
  413. package/dist/lib/multi-system-query.js +604 -0
  414. package/dist/lib/multi-system-query.js.map +1 -0
  415. package/dist/lib/orphan-detector.js +332 -0
  416. package/dist/lib/orphan-detector.js.map +1 -0
  417. package/dist/lib/password-generator.js +166 -0
  418. package/dist/lib/password-generator.js.map +1 -0
  419. package/dist/lib/path-validator.js +429 -0
  420. package/dist/lib/path-validator.js.map +1 -0
  421. package/dist/lib/query-translator.js +905 -0
  422. package/dist/lib/query-translator.js.map +1 -0
  423. package/dist/lib/queue-recovery.js +469 -0
  424. package/dist/lib/queue-recovery.js.map +1 -0
  425. package/dist/lib/redis-queue-manager.js +512 -0
  426. package/dist/lib/redis-queue-manager.js.map +1 -0
  427. package/dist/lib/reflection-archiver.js +272 -0
  428. package/dist/lib/reflection-archiver.js.map +1 -0
  429. package/dist/lib/retry-manager.js +453 -0
  430. package/dist/lib/retry-manager.js.map +1 -0
  431. package/dist/lib/retry.js +262 -0
  432. package/dist/lib/retry.js.map +1 -0
  433. package/dist/lib/schema-transform.js +695 -0
  434. package/dist/lib/schema-transform.js.map +1 -0
  435. package/dist/lib/schema-validator.js +491 -0
  436. package/dist/lib/schema-validator.js.map +1 -0
  437. package/dist/lib/skill-cache.js +297 -0
  438. package/dist/lib/skill-cache.js.map +1 -0
  439. package/dist/lib/skill-content-manager.js +337 -0
  440. package/dist/lib/skill-content-manager.js.map +1 -0
  441. package/dist/lib/skill-frontmatter-parser.js +237 -0
  442. package/dist/lib/skill-frontmatter-parser.js.map +1 -0
  443. package/dist/lib/skill-git-integration.js +275 -0
  444. package/dist/lib/skill-git-integration.js.map +1 -0
  445. package/dist/lib/skill-markdown-validator.js +396 -0
  446. package/dist/lib/skill-markdown-validator.js.map +1 -0
  447. package/dist/lib/skill-output-parser.js +312 -0
  448. package/dist/lib/skill-output-parser.js.map +1 -0
  449. package/dist/lib/unified-query-api.js +467 -0
  450. package/dist/lib/unified-query-api.js.map +1 -0
  451. package/dist/middleware/auth-middleware.js +350 -0
  452. package/dist/middleware/auth-middleware.js.map +1 -0
  453. package/dist/middleware/schema-validation.js +347 -0
  454. package/dist/middleware/schema-validation.js.map +1 -0
  455. package/dist/providers/anthropic-provider.js +1 -1
  456. package/dist/providers/anthropic-provider.js.map +1 -1
  457. package/dist/providers/provider-factory.js +2 -2
  458. package/dist/providers/provider-factory.js.map +1 -1
  459. package/dist/services/edge-case-analyzer.js +321 -0
  460. package/dist/services/edge-case-analyzer.js.map +1 -0
  461. package/dist/services/edge-case-deduplicator.js +266 -0
  462. package/dist/services/edge-case-deduplicator.js.map +1 -0
  463. package/dist/services/edge-case-detector.js +337 -0
  464. package/dist/services/edge-case-detector.js.map +1 -0
  465. package/dist/services/edge-case-tracker.js +547 -0
  466. package/dist/services/edge-case-tracker.js.map +1 -0
  467. package/dist/services/health-check-system.js +586 -0
  468. package/dist/services/health-check-system.js.map +1 -0
  469. package/dist/services/metrics-logger.js +412 -0
  470. package/dist/services/metrics-logger.js.map +1 -0
  471. package/dist/services/patch-generator.js +378 -0
  472. package/dist/services/patch-generator.js.map +1 -0
  473. package/dist/services/patch-validator.js +337 -0
  474. package/dist/services/patch-validator.js.map +1 -0
  475. package/dist/services/performance-monitor.js +811 -0
  476. package/dist/services/performance-monitor.js.map +1 -0
  477. package/dist/services/promotion-pipeline.js +918 -0
  478. package/dist/services/promotion-pipeline.js.map +1 -0
  479. package/dist/services/promotion-validator.js +394 -0
  480. package/dist/services/promotion-validator.js.map +1 -0
  481. package/dist/services/reflection-logger.js +388 -0
  482. package/dist/services/reflection-logger.js.map +1 -0
  483. package/dist/services/skill-deployment.js +472 -0
  484. package/dist/services/skill-deployment.js.map +1 -0
  485. package/dist/services/skill-loader.js +427 -0
  486. package/dist/services/skill-loader.js.map +1 -0
  487. package/dist/services/skill-promotion.js +372 -0
  488. package/dist/services/skill-promotion.js.map +1 -0
  489. package/dist/services/skill-validator.js +454 -0
  490. package/dist/services/skill-validator.js.map +1 -0
  491. package/dist/services/skill-versioning.js +244 -0
  492. package/dist/services/skill-versioning.js.map +1 -0
  493. package/dist/services/workspace-supervisor.js +597 -0
  494. package/dist/services/workspace-supervisor.js.map +1 -0
  495. package/dist/types/agent-output.js +44 -0
  496. package/dist/types/agent-output.js.map +1 -0
  497. package/dist/types/config.js +28 -0
  498. package/dist/types/config.js.map +1 -0
  499. package/dist/types/edge-case.js +45 -0
  500. package/dist/types/edge-case.js.map +1 -0
  501. package/package.json +201 -176
  502. package/readme/README.md +19 -4
  503. package/scripts/artifact-cleanup.sh +392 -0
  504. package/scripts/backup-cleanup.sh +627 -0
  505. package/scripts/cleanup-workspaces.sh +412 -0
  506. package/scripts/cleanup-yaml-configs.sh +141 -0
  507. package/scripts/deploy-approved-skills.sh +263 -0
  508. package/scripts/deploy-production.sh +355 -355
  509. package/scripts/docker-playwright-fix.sh +311 -311
  510. package/scripts/docker-rebuild-all-agents.sh +127 -127
  511. package/scripts/health-check.sh +447 -0
  512. package/scripts/log-aggregator.sh +554 -0
  513. package/scripts/log-monitor.sh +629 -0
  514. package/scripts/manage-agent-workspaces.sh +434 -0
  515. package/scripts/memory-leak-prevention.sh +305 -305
  516. package/scripts/migrate-artifacts.sh +563 -0
  517. package/scripts/migrate-schema.sh +533 -0
  518. package/scripts/migrate-yaml-to-json.sh +465 -0
  519. package/scripts/promote-staged-skills.sh +423 -0
  520. package/scripts/run-marketing-tests.sh +42 -42
  521. package/scripts/update_paths.sh +46 -46
  522. package/scripts/verify-no-secrets.sh +88 -35
  523. package/.claude/cfn-extras/agents/deprecated-coordinators/adaptive-coordinator.md.backup +0 -161
  524. package/.claude/cfn-extras/agents/deprecated-coordinators/blocking-coordinator-example.md.backup +0 -728
  525. package/.claude/cfn-extras/agents/deprecated-coordinators/mesh-coordinator.md.backup +0 -131
  526. package/.claude/skills/cfn-agent-spawning/spawn-agent.sh.backup +0 -273
  527. package/.claude/skills/cfn-loop-orchestration/orchestrate.sh.backup +0 -949
  528. package/README.md.backup_before_replace +0 -781
  529. package/claude-assets/cfn-extras/agents/deprecated-coordinators/adaptive-coordinator.md.backup +0 -161
  530. package/claude-assets/cfn-extras/agents/deprecated-coordinators/blocking-coordinator-example.md.backup +0 -728
  531. package/claude-assets/cfn-extras/agents/deprecated-coordinators/mesh-coordinator.md.backup +0 -131
  532. package/claude-assets/skills/cfn-agent-spawning/spawn-agent.sh.backup +0 -273
  533. package/claude-assets/skills/cfn-loop-orchestration/orchestrate.sh.backup +0 -949
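--- a/package/dist/middleware/auth-middleware.js
+++ b/package/dist/middleware/auth-middleware.js
@@ -0,0 +1,350 @@
+ /**
+ * Authentication and Role-Based Access Control (RBAC) Middleware
+ *
+ * Implements JWT-based authentication and role-based access control for
+ * sensitive operations like skill promotion, approval, and deployment.
+ *
+ * Features:
+ * - JWT token validation and expiration checks
+ * - Role-based access control with granular permissions
+ * - Session-based authentication fallback
+ * - Audit logging for authorization failures
+ * - Per-operation permission validation
+ *
+ * Roles:
+ * - admin: Full access to all promotion operations
+ * - developer: Can initiate promotions, but not approve/deploy
+ * - readonly: Can view audit trails, but no promotion access
+ */ import { StandardError, ErrorCode } from '../lib/errors.js';
+ import { createLogger } from '../lib/logging.js';
+ import * as jwt from 'jsonwebtoken';
+ const logger = createLogger('auth-middleware');
+ /**
+ * User role enum
+ */ export var UserRole = /*#__PURE__*/ function(UserRole) {
+ UserRole["ADMIN"] = "admin";
+ UserRole["DEVELOPER"] = "developer";
+ UserRole["READONLY"] = "readonly";
+ return UserRole;
+ }({});
+ /**
+ * Promotion operation enum
+ */ export var PromotionOperation = /*#__PURE__*/ function(PromotionOperation) {
+ PromotionOperation["INITIATE"] = "initiate-promotion";
+ PromotionOperation["VALIDATE"] = "validate-skill";
+ PromotionOperation["TEST"] = "test-skill";
+ PromotionOperation["APPROVE"] = "approve-promotion";
+ PromotionOperation["DEPLOY"] = "deploy-to-production";
+ PromotionOperation["ROLLBACK"] = "rollback-deployment";
+ return PromotionOperation;
+ }({});
+ /**
+ * Permission mapping: role -> allowed operations
+ */ const ROLE_PERMISSIONS = {
+ ["admin"]: [
+ "initiate-promotion",
+ "validate-skill",
+ "test-skill",
+ "approve-promotion",
+ "deploy-to-production",
+ "rollback-deployment"
+ ],
+ ["developer"]: [
+ "initiate-promotion",
+ "validate-skill",
+ "test-skill"
+ ],
+ ["readonly"]: []
+ };
+ /**
+ * Authentication middleware for validating user identity
+ *
+ * SECURITY CRITICAL: JWT_SECRET must be configured via environment variable
+ * or explicitly provided. No default secrets are allowed in production.
+ */ export class AuthMiddleware {
+ jwtSecret;
+ tokenExpirationSeconds;
+ sessions;
+ // List of insecure default secrets that must be rejected (CVSS 9.8 vulnerability)
+ static INSECURE_SECRETS = [
+ 'dev-secret-key',
+ 'secret',
+ 'password',
+ 'test',
+ 'default',
+ '123456',
+ 'changeme'
+ ];
+ /**
+ * Create authentication middleware
+ *
+ * @param jwtSecret - JWT signing secret (REQUIRED). If not provided, will attempt
+ * to load from JWT_SECRET environment variable. Throws error if
+ * neither is available.
+ * @param tokenExpirationSeconds - Token expiration time in seconds (default: 3600)
+ * @throws StandardError with CONFIGURATION_ERROR if JWT_SECRET is not configured
+ * @throws StandardError with VALIDATION_FAILED if JWT_SECRET is empty, too short
+ * (<16 chars), or matches known insecure defaults
+ *
+ * @example
+ * // Explicit secret (for testing)
+ * const auth = new AuthMiddleware('strong-secret-key-at-least-16-chars');
+ *
+ * @example
+ * // From environment variable (production)
+ * process.env.JWT_SECRET = 'production-secret-at-least-16-chars';
+ * const auth = new AuthMiddleware();
+ */ constructor(jwtSecret, tokenExpirationSeconds = 3600){
+ // Attempt to resolve JWT secret from parameter or environment
+ const resolvedSecret = jwtSecret ?? process.env.JWT_SECRET;
+ // Fail fast if JWT_SECRET is not configured
+ if (!resolvedSecret) {
+ throw new StandardError(ErrorCode.CONFIGURATION_ERROR, 'JWT_SECRET is required but not configured. Please set the JWT_SECRET environment variable or provide it explicitly to the constructor.', {
+ hint: 'Set JWT_SECRET in your .env file or environment: export JWT_SECRET="your-secret-key"',
+ securityNote: 'Never use default secrets in production. Generate a strong random secret.'
+ });
+ }
+ // Trim and validate secret is not empty or whitespace
+ const trimmedSecret = resolvedSecret.trim();
+ if (trimmedSecret.length === 0) {
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'JWT_SECRET cannot be empty or whitespace only.', {
+ hint: 'Provide a strong secret key of at least 16 characters'
+ });
+ }
+ // Validate minimum length (prevent weak secrets - CVSS 7.5)
+ if (trimmedSecret.length < 16) {
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'JWT_SECRET must be at least 16 characters long for security.', {
+ providedLength: trimmedSecret.length,
+ requiredLength: 16,
+ hint: 'Use a strong random secret of at least 16 characters'
+ });
+ }
+ // Reject known insecure default secrets (CVSS 9.8 vulnerability)
+ // Only reject if secret exactly matches known insecure defaults
+ const normalizedSecret = trimmedSecret.toLowerCase().replace(/[_-]/g, '');
+ const isInsecure = AuthMiddleware.INSECURE_SECRETS.some((insecure)=>{
+ const normalizedInsecure = insecure.toLowerCase().replace(/[_-]/g, '');
+ // Only exact match - do not match if contains
+ return normalizedSecret === normalizedInsecure;
+ });
+ if (isInsecure) {
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Detected insecure default secret. Please use a strong, unique JWT_SECRET in production.', {
+ securityRisk: 'CVSS 9.8 - Default secrets allow authentication bypass and token forgery',
+ hint: 'Generate a secure random secret: openssl rand -base64 32'
+ });
+ }
+ this.jwtSecret = trimmedSecret;
+ this.tokenExpirationSeconds = tokenExpirationSeconds;
+ this.sessions = new Map();
+ logger.debug('AuthMiddleware initialized with secure JWT secret');
+ }
+ /**
+ * Generate a JWT token for a user
+ *
+ * @param userId - User ID
+ * @param username - Username
+ * @param role - User role
+ * @param email - User email (optional)
+ * @returns JWT token
+ */ generateToken(userId, username, role, email) {
+ const payload = {
+ userId,
+ username,
+ role,
+ email
+ };
+ return jwt.sign(payload, this.jwtSecret, {
+ algorithm: 'HS256',
+ expiresIn: this.tokenExpirationSeconds
+ });
+ }
+ /**
+ * Validate JWT token and extract user context
+ *
+ * @param token - JWT token
+ * @returns User context if valid
+ * @throws StandardError if token is invalid or expired
+ */ validateToken(token) {
+ try {
+ if (!token || typeof token !== 'string') {
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Missing or invalid authentication token');
+ }
+ // Remove "Bearer " prefix if present
+ const cleanToken = token.startsWith('Bearer ') ? token.substring(7) : token;
+ const decoded = jwt.verify(cleanToken, this.jwtSecret, {
+ algorithms: [
+ 'HS256'
+ ]
+ });
+ // Validate required fields
+ if (!decoded.userId || !decoded.username || !decoded.role) {
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid token structure: missing required fields');
+ }
+ // Validate role is one of the allowed roles
+ if (!Object.values(UserRole).includes(decoded.role)) {
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, `Invalid role: ${decoded.role}`);
+ }
+ return {
+ userId: decoded.userId,
+ username: decoded.username,
+ role: decoded.role,
+ email: decoded.email,
+ issuedAt: decoded.iat || Math.floor(Date.now() / 1000),
+ expiresAt: decoded.exp || Math.floor(Date.now() / 1000) + this.tokenExpirationSeconds
+ };
+ } catch (error) {
+ if (error instanceof StandardError) {
+ throw error;
+ }
+ if (error instanceof jwt.TokenExpiredError) {
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Authentication token has expired', {
+ expiredAt: error.expiredAt?.toISOString()
+ }, error);
+ }
+ if (error instanceof jwt.JsonWebTokenError) {
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid authentication token', {}, error);
+ }
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Token validation failed', {}, error);
+ }
+ }
+ /**
+ * Register a session (for session-based authentication fallback)
+ *
+ * @param sessionId - Session ID
+ * @param userContext - User context
+ */ registerSession(sessionId, userContext) {
+ this.sessions.set(sessionId, {
+ ...userContext,
+ sessionId
+ });
+ logger.debug('Session registered', {
+ sessionId,
+ userId: userContext.userId
+ });
+ }
+ /**
+ * Validate session
+ *
+ * @param sessionId - Session ID
+ * @returns User context if valid
+ * @throws StandardError if session is invalid or expired
+ */ validateSession(sessionId) {
+ const session = this.sessions.get(sessionId);
+ if (!session) {
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid or expired session');
+ }
+ // Check if session has expired
+ if (session.expiresAt < Math.floor(Date.now() / 1000)) {
+ this.sessions.delete(sessionId);
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Session has expired');
+ }
+ return session;
+ }
+ /**
+ * Invalidate a session
+ *
+ * @param sessionId - Session ID
+ */ invalidateSession(sessionId) {
+ this.sessions.delete(sessionId);
+ logger.debug('Session invalidated', {
+ sessionId
+ });
+ }
+ /**
+ * Extract user context from Authorization header
+ *
+ * @param authHeader - Authorization header value
+ * @returns User context
+ * @throws StandardError if authorization header is invalid
+ */ extractUserContext(authHeader, sessionId) {
+ // Try JWT token first
+ if (authHeader) {
+ return this.validateToken(authHeader);
+ }
+ // Fallback to session
+ if (sessionId) {
+ return this.validateSession(sessionId);
+ }
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Missing authentication credentials (JWT token or session required)');
+ }
+ }
+ /**
+ * Role-Based Access Control (RBAC) enforcer
+ */ export class RBACEnforcer {
+ authMiddleware;
+ constructor(authMiddleware){
+ this.authMiddleware = authMiddleware;
+ }
+ /**
+ * Check if user has permission for an operation
+ *
+ * @param userContext - User context
+ * @param operation - Operation to perform
+ * @returns True if user has permission
+ */ hasPermission(userContext, operation) {
+ const allowedOperations = ROLE_PERMISSIONS[userContext.role];
+ return allowedOperations.includes(operation);
+ }
+ /**
+ * Enforce permission check - throws if user lacks permission
+ *
+ * @param userContext - User context
+ * @param operation - Operation to perform
+ * @param skillId - Skill ID (for audit context)
+ * @throws StandardError if user lacks permission
+ */ enforcePermission(userContext, operation, skillId) {
+ if (!this.hasPermission(userContext, operation)) {
+ logger.warn('Authorization denied', {
+ userId: userContext.userId,
+ role: userContext.role,
+ operation,
+ skillId
+ });
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, `User does not have permission to perform operation: ${operation}`, {
+ userId: userContext.userId,
+ role: userContext.role,
+ operation,
+ skillId,
+ allowedOperations: ROLE_PERMISSIONS[userContext.role]
+ });
+ }
+ logger.debug('Authorization granted', {
+ userId: userContext.userId,
+ role: userContext.role,
+ operation,
+ skillId
+ });
+ }
+ /**
+ * Get description of allowed operations for a role
+ *
+ * @param role - User role
+ * @returns List of allowed operations
+ */ getAllowedOperations(role) {
+ return ROLE_PERMISSIONS[role];
+ }
+ }
+ /**
+ * Authorization decorator factory
+ * Wrap promotion operations to enforce RBAC
+ */ export function requirePermission(operation) {
+ return function(target, propertyKey, descriptor) {
+ const originalMethod = descriptor.value;
+ descriptor.value = async function(...args) {
+ // Extract userContext and rbac from 'this' context
+ if (!this.userContext) {
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'User context not available - authentication required');
+ }
+ if (!this.rbacEnforcer) {
+ throw new StandardError(ErrorCode.VALIDATION_FAILED, 'RBAC enforcer not configured');
+ }
+ const skillId = args[0]?.skillId || args[1]?.skillId;
+ this.rbacEnforcer.enforcePermission(this.userContext, operation, skillId);
+ return originalMethod.apply(this, args);
+ };
+ return descriptor;
+ };
+ }
+ export default AuthMiddleware;
+
+ //# sourceMappingURL=auth-middleware.js.map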
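Review bot: Expiry can be silently skipped on both authentication paths in `AuthMiddleware`. In `validateToken`, a correctly signed token with no `exp` claim passes `jwt.verify` and is then given a fresh `expiresAt` computed at validation time (`decoded.exp || Math.floor(Date.now() / 1000) + this.tokenExpirationSeconds`), so it never ages out; adding `if (typeof decoded.exp !== 'number') throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid token structure: missing required fields');` next to the other required-field checks closes that. In `validateSession`, `session.expiresAt < Math.floor(Date.now() / 1000)` is false when `expiresAt` is undefined or NaN, and `registerSession` stores whatever context it is handed without checking `expiresAt` or `role`; the test should read `if (!Number.isFinite(session.expiresAt) || session.expiresAt < now)` with `now` the current epoch second, and `registerSession` should apply the same `Object.values(UserRole).includes(...)` check that `validateToken` uses, since an unknown role currently makes `hasPermission` throw a TypeError on `allowedOperations.includes` instead of a clean denial. Separately, the `INSECURE_SECRETS` comparison in the constructor cannot match: it requires an exact match and runs after the 16-character minimum, while every listed value is shorter than 16 characters, so the only effective secret check is length, which says nothing about entropy.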
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../../src/middleware/auth-middleware.ts"],"sourcesContent":["/**\n * Authentication and Role-Based Access Control (RBAC) Middleware\n *\n * Implements JWT-based authentication and role-based access control for\n * sensitive operations like skill promotion, approval, and deployment.\n *\n * Features:\n * - JWT token validation and expiration checks\n * - Role-based access control with granular permissions\n * - Session-based authentication fallback\n * - Audit logging for authorization failures\n * - Per-operation permission validation\n *\n * Roles:\n * - admin: Full access to all promotion operations\n * - developer: Can initiate promotions, but not approve/deploy\n * - readonly: Can view audit trails, but no promotion access\n */\n\nimport { StandardError, ErrorCode } from '../lib/errors.js';\nimport { createLogger } from '../lib/logging.js';\nimport * as jwt from 'jsonwebtoken';\n\nconst logger = createLogger('auth-middleware');\n\n/**\n * User role enum\n */\nexport enum UserRole {\n ADMIN = 'admin',\n DEVELOPER = 'developer',\n READONLY = 'readonly',\n}\n\n/**\n * Promotion operation enum\n */\nexport enum PromotionOperation {\n INITIATE = 'initiate-promotion',\n VALIDATE = 'validate-skill',\n TEST = 'test-skill',\n APPROVE = 'approve-promotion',\n DEPLOY = 'deploy-to-production',\n ROLLBACK = 'rollback-deployment',\n}\n\n/**\n * User context from authentication\n */\nexport interface UserContext {\n userId: string;\n username: string;\n role: UserRole;\n email?: string;\n issuedAt: number;\n expiresAt: number;\n sessionId?: string;\n}\n\n/**\n * Permission mapping: role -> allowed operations\n */\nconst ROLE_PERMISSIONS: Record<UserRole, PromotionOperation[]> = {\n [UserRole.ADMIN]: [\n PromotionOperation.INITIATE,\n PromotionOperation.VALIDATE,\n PromotionOperation.TEST,\n PromotionOperation.APPROVE,\n PromotionOperation.DEPLOY,\n PromotionOperation.ROLLBACK,\n ],\n [UserRole.DEVELOPER]: [\n PromotionOperation.INITIATE,\n 
PromotionOperation.VALIDATE,\n PromotionOperation.TEST,\n ],\n [UserRole.READONLY]: [],\n};\n\n/**\n * Authentication middleware for validating user identity\n *\n * SECURITY CRITICAL: JWT_SECRET must be configured via environment variable\n * or explicitly provided. No default secrets are allowed in production.\n */\nexport class AuthMiddleware {\n private jwtSecret: string;\n private tokenExpirationSeconds: number;\n private sessions: Map<string, UserContext>;\n\n // List of insecure default secrets that must be rejected (CVSS 9.8 vulnerability)\n private static readonly INSECURE_SECRETS = [\n 'dev-secret-key',\n 'secret',\n 'password',\n 'test',\n 'default',\n '123456',\n 'changeme',\n ];\n\n /**\n * Create authentication middleware\n *\n * @param jwtSecret - JWT signing secret (REQUIRED). If not provided, will attempt\n * to load from JWT_SECRET environment variable. Throws error if\n * neither is available.\n * @param tokenExpirationSeconds - Token expiration time in seconds (default: 3600)\n * @throws StandardError with CONFIGURATION_ERROR if JWT_SECRET is not configured\n * @throws StandardError with VALIDATION_FAILED if JWT_SECRET is empty, too short\n * (<16 chars), or matches known insecure defaults\n *\n * @example\n * // Explicit secret (for testing)\n * const auth = new AuthMiddleware('strong-secret-key-at-least-16-chars');\n *\n * @example\n * // From environment variable (production)\n * process.env.JWT_SECRET = 'production-secret-at-least-16-chars';\n * const auth = new AuthMiddleware();\n */\n constructor(jwtSecret?: string, tokenExpirationSeconds: number = 3600) {\n // Attempt to resolve JWT secret from parameter or environment\n const resolvedSecret = jwtSecret ?? process.env.JWT_SECRET;\n\n // Fail fast if JWT_SECRET is not configured\n if (!resolvedSecret) {\n throw new StandardError(\n ErrorCode.CONFIGURATION_ERROR,\n 'JWT_SECRET is required but not configured. 
Please set the JWT_SECRET environment variable or provide it explicitly to the constructor.',\n {\n hint: 'Set JWT_SECRET in your .env file or environment: export JWT_SECRET=\"your-secret-key\"',\n securityNote: 'Never use default secrets in production. Generate a strong random secret.',\n }\n );\n }\n\n // Trim and validate secret is not empty or whitespace\n const trimmedSecret = resolvedSecret.trim();\n if (trimmedSecret.length === 0) {\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'JWT_SECRET cannot be empty or whitespace only.',\n {\n hint: 'Provide a strong secret key of at least 16 characters',\n }\n );\n }\n\n // Validate minimum length (prevent weak secrets - CVSS 7.5)\n if (trimmedSecret.length < 16) {\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'JWT_SECRET must be at least 16 characters long for security.',\n {\n providedLength: trimmedSecret.length,\n requiredLength: 16,\n hint: 'Use a strong random secret of at least 16 characters',\n }\n );\n }\n\n // Reject known insecure default secrets (CVSS 9.8 vulnerability)\n // Only reject if secret exactly matches known insecure defaults\n const normalizedSecret = trimmedSecret.toLowerCase().replace(/[_-]/g, '');\n const isInsecure = AuthMiddleware.INSECURE_SECRETS.some((insecure) => {\n const normalizedInsecure = insecure.toLowerCase().replace(/[_-]/g, '');\n // Only exact match - do not match if contains\n return normalizedSecret === normalizedInsecure;\n });\n\n if (isInsecure) {\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'Detected insecure default secret. 
Please use a strong, unique JWT_SECRET in production.',\n {\n securityRisk: 'CVSS 9.8 - Default secrets allow authentication bypass and token forgery',\n hint: 'Generate a secure random secret: openssl rand -base64 32',\n }\n );\n }\n\n this.jwtSecret = trimmedSecret;\n this.tokenExpirationSeconds = tokenExpirationSeconds;\n this.sessions = new Map();\n\n logger.debug('AuthMiddleware initialized with secure JWT secret');\n }\n\n /**\n * Generate a JWT token for a user\n *\n * @param userId - User ID\n * @param username - Username\n * @param role - User role\n * @param email - User email (optional)\n * @returns JWT token\n */\n generateToken(userId: string, username: string, role: UserRole, email?: string): string {\n const payload = {\n userId,\n username,\n role,\n email,\n };\n\n return jwt.sign(payload, this.jwtSecret, {\n algorithm: 'HS256',\n expiresIn: this.tokenExpirationSeconds,\n });\n }\n\n /**\n * Validate JWT token and extract user context\n *\n * @param token - JWT token\n * @returns User context if valid\n * @throws StandardError if token is invalid or expired\n */\n validateToken(token: string): UserContext {\n try {\n if (!token || typeof token !== 'string') {\n throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Missing or invalid authentication token');\n }\n\n // Remove \"Bearer \" prefix if present\n const cleanToken = token.startsWith('Bearer ') ? 
token.substring(7) : token;\n\n const decoded = jwt.verify(cleanToken, this.jwtSecret, {\n algorithms: ['HS256'],\n }) as any;\n\n // Validate required fields\n if (!decoded.userId || !decoded.username || !decoded.role) {\n throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid token structure: missing required fields');\n }\n\n // Validate role is one of the allowed roles\n if (!Object.values(UserRole).includes(decoded.role)) {\n throw new StandardError(ErrorCode.VALIDATION_FAILED, `Invalid role: ${decoded.role}`);\n }\n\n return {\n userId: decoded.userId,\n username: decoded.username,\n role: decoded.role,\n email: decoded.email,\n issuedAt: decoded.iat || Math.floor(Date.now() / 1000),\n expiresAt: decoded.exp || Math.floor(Date.now() / 1000) + this.tokenExpirationSeconds,\n };\n } catch (error) {\n if (error instanceof StandardError) {\n throw error;\n }\n\n if (error instanceof jwt.TokenExpiredError) {\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'Authentication token has expired',\n { expiredAt: error.expiredAt?.toISOString() },\n error\n );\n }\n\n if (error instanceof jwt.JsonWebTokenError) {\n throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid authentication token', {}, error);\n }\n\n throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Token validation failed', {}, error as Error);\n }\n }\n\n /**\n * Register a session (for session-based authentication fallback)\n *\n * @param sessionId - Session ID\n * @param userContext - User context\n */\n registerSession(sessionId: string, userContext: UserContext): void {\n this.sessions.set(sessionId, { ...userContext, sessionId });\n logger.debug('Session registered', { sessionId, userId: userContext.userId });\n }\n\n /**\n * Validate session\n *\n * @param sessionId - Session ID\n * @returns User context if valid\n * @throws StandardError if session is invalid or expired\n */\n validateSession(sessionId: string): UserContext {\n const session = 
this.sessions.get(sessionId);\n\n if (!session) {\n throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Invalid or expired session');\n }\n\n // Check if session has expired\n if (session.expiresAt < Math.floor(Date.now() / 1000)) {\n this.sessions.delete(sessionId);\n throw new StandardError(ErrorCode.VALIDATION_FAILED, 'Session has expired');\n }\n\n return session;\n }\n\n /**\n * Invalidate a session\n *\n * @param sessionId - Session ID\n */\n invalidateSession(sessionId: string): void {\n this.sessions.delete(sessionId);\n logger.debug('Session invalidated', { sessionId });\n }\n\n /**\n * Extract user context from Authorization header\n *\n * @param authHeader - Authorization header value\n * @returns User context\n * @throws StandardError if authorization header is invalid\n */\n extractUserContext(authHeader?: string, sessionId?: string): UserContext {\n // Try JWT token first\n if (authHeader) {\n return this.validateToken(authHeader);\n }\n\n // Fallback to session\n if (sessionId) {\n return this.validateSession(sessionId);\n }\n\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'Missing authentication credentials (JWT token or session required)'\n );\n }\n}\n\n/**\n * Role-Based Access Control (RBAC) enforcer\n */\nexport class RBACEnforcer {\n private authMiddleware: AuthMiddleware;\n\n constructor(authMiddleware: AuthMiddleware) {\n this.authMiddleware = authMiddleware;\n }\n\n /**\n * Check if user has permission for an operation\n *\n * @param userContext - User context\n * @param operation - Operation to perform\n * @returns True if user has permission\n */\n hasPermission(userContext: UserContext, operation: PromotionOperation): boolean {\n const allowedOperations = ROLE_PERMISSIONS[userContext.role];\n return allowedOperations.includes(operation);\n }\n\n /**\n * Enforce permission check - throws if user lacks permission\n *\n * @param userContext - User context\n * @param operation - Operation to perform\n * @param skillId - Skill 
ID (for audit context)\n * @throws StandardError if user lacks permission\n */\n enforcePermission(userContext: UserContext, operation: PromotionOperation, skillId?: string): void {\n if (!this.hasPermission(userContext, operation)) {\n logger.warn('Authorization denied', {\n userId: userContext.userId,\n role: userContext.role,\n operation,\n skillId,\n });\n\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n `User does not have permission to perform operation: ${operation}`,\n {\n userId: userContext.userId,\n role: userContext.role,\n operation,\n skillId,\n allowedOperations: ROLE_PERMISSIONS[userContext.role],\n }\n );\n }\n\n logger.debug('Authorization granted', {\n userId: userContext.userId,\n role: userContext.role,\n operation,\n skillId,\n });\n }\n\n /**\n * Get description of allowed operations for a role\n *\n * @param role - User role\n * @returns List of allowed operations\n */\n getAllowedOperations(role: UserRole): PromotionOperation[] {\n return ROLE_PERMISSIONS[role];\n }\n}\n\n/**\n * Authorization decorator factory\n * Wrap promotion operations to enforce RBAC\n */\nexport function requirePermission(operation: PromotionOperation) {\n return function (target: any, propertyKey: string, descriptor: PropertyDescriptor) {\n const originalMethod = descriptor.value;\n\n descriptor.value = async function (this: any, ...args: any[]) {\n // Extract userContext and rbac from 'this' context\n if (!this.userContext) {\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'User context not available - authentication required'\n );\n }\n\n if (!this.rbacEnforcer) {\n throw new StandardError(\n ErrorCode.VALIDATION_FAILED,\n 'RBAC enforcer not configured'\n );\n }\n\n const skillId = args[0]?.skillId || args[1]?.skillId;\n this.rbacEnforcer.enforcePermission(this.userContext, operation, skillId);\n\n return originalMethod.apply(this, args);\n };\n\n return descriptor;\n };\n}\n\nexport default 
AuthMiddleware;\n"],"names":["StandardError","ErrorCode","createLogger","jwt","logger","UserRole","PromotionOperation","ROLE_PERMISSIONS","AuthMiddleware","jwtSecret","tokenExpirationSeconds","sessions","INSECURE_SECRETS","resolvedSecret","process","env","JWT_SECRET","CONFIGURATION_ERROR","hint","securityNote","trimmedSecret","trim","length","VALIDATION_FAILED","providedLength","requiredLength","normalizedSecret","toLowerCase","replace","isInsecure","some","insecure","normalizedInsecure","securityRisk","Map","debug","generateToken","userId","username","role","email","payload","sign","algorithm","expiresIn","validateToken","token","cleanToken","startsWith","substring","decoded","verify","algorithms","Object","values","includes","issuedAt","iat","Math","floor","Date","now","expiresAt","exp","error","TokenExpiredError","expiredAt","toISOString","JsonWebTokenError","registerSession","sessionId","userContext","set","validateSession","session","get","delete","invalidateSession","extractUserContext","authHeader","RBACEnforcer","authMiddleware","hasPermission","operation","allowedOperations","enforcePermission","skillId","warn","getAllowedOperations","requirePermission","target","propertyKey","descriptor","originalMethod","value","args","rbacEnforcer","apply"],"mappings":"AAAA;;;;;;;;;;;;;;;;;CAiBC,GAED,SAASA,aAAa,EAAEC,SAAS,QAAQ,mBAAmB;AAC5D,SAASC,YAAY,QAAQ,oBAAoB;AACjD,YAAYC,SAAS,eAAe;AAEpC,MAAMC,SAASF,aAAa;AAE5B;;CAEC,GACD,OAAO,IAAA,AAAKG,kCAAAA;;;;WAAAA;MAIX;AAED;;CAEC,GACD,OAAO,IAAA,AAAKC,4CAAAA;;;;;;;WAAAA;MAOX;AAeD;;CAEC,GACD,MAAMC,mBAA2D;IAC/D,SAAgB,EAAE;;;;;;;KAOjB;IACD,aAAoB,EAAE;;;;KAIrB;IACD,YAAmB,EAAE,EAAE;AACzB;AAEA;;;;;CAKC,GACD,OAAO,MAAMC;IACHC,UAAkB;IAClBC,uBAA+B;IAC/BC,SAAmC;IAE3C,kFAAkF;IAClF,OAAwBC,mBAAmB;QACzC;QACA;QACA;QACA;QACA;QACA;QACA;KACD,CAAC;IAEF;;;;;;;;;;;;;;;;;;;GAmBC,GACD,YAAYH,SAAkB,EAAEC,yBAAiC,IAAI,CAAE;QACrE,8DAA8D;QAC9D,MAAMG,iBAAiBJ,aAAaK,QAAQC,GAAG,CAACC,UAAU;QAE1D,4CAA4C;QAC5C,IAAI,CAACH,gBAAgB;YACnB,MAAM,IAAIb,cACRC,UAAUgB,mBAAmB,EAC
7B,0IACA;gBACEC,MAAM;gBACNC,cAAc;YAChB;QAEJ;QAEA,sDAAsD;QACtD,MAAMC,gBAAgBP,eAAeQ,IAAI;QACzC,IAAID,cAAcE,MAAM,KAAK,GAAG;YAC9B,MAAM,IAAItB,cACRC,UAAUsB,iBAAiB,EAC3B,kDACA;gBACEL,MAAM;YACR;QAEJ;QAEA,4DAA4D;QAC5D,IAAIE,cAAcE,MAAM,GAAG,IAAI;YAC7B,MAAM,IAAItB,cACRC,UAAUsB,iBAAiB,EAC3B,gEACA;gBACEC,gBAAgBJ,cAAcE,MAAM;gBACpCG,gBAAgB;gBAChBP,MAAM;YACR;QAEJ;QAEA,iEAAiE;QACjE,gEAAgE;QAChE,MAAMQ,mBAAmBN,cAAcO,WAAW,GAAGC,OAAO,CAAC,SAAS;QACtE,MAAMC,aAAarB,eAAeI,gBAAgB,CAACkB,IAAI,CAAC,CAACC;YACvD,MAAMC,qBAAqBD,SAASJ,WAAW,GAAGC,OAAO,CAAC,SAAS;YACnE,8CAA8C;YAC9C,OAAOF,qBAAqBM;QAC9B;QAEA,IAAIH,YAAY;YACd,MAAM,IAAI7B,cACRC,UAAUsB,iBAAiB,EAC3B,2FACA;gBACEU,cAAc;gBACdf,MAAM;YACR;QAEJ;QAEA,IAAI,CAACT,SAAS,GAAGW;QACjB,IAAI,CAACV,sBAAsB,GAAGA;QAC9B,IAAI,CAACC,QAAQ,GAAG,IAAIuB;QAEpB9B,OAAO+B,KAAK,CAAC;IACf;IAEA;;;;;;;;GAQC,GACDC,cAAcC,MAAc,EAAEC,QAAgB,EAAEC,IAAc,EAAEC,KAAc,EAAU;QACtF,MAAMC,UAAU;YACdJ;YACAC;YACAC;YACAC;QACF;QAEA,OAAOrC,IAAIuC,IAAI,CAACD,SAAS,IAAI,CAAChC,SAAS,EAAE;YACvCkC,WAAW;YACXC,WAAW,IAAI,CAAClC,sBAAsB;QACxC;IACF;IAEA;;;;;;GAMC,GACDmC,cAAcC,KAAa,EAAe;QACxC,IAAI;YACF,IAAI,CAACA,SAAS,OAAOA,UAAU,UAAU;gBACvC,MAAM,IAAI9C,cAAcC,UAAUsB,iBAAiB,EAAE;YACvD;YAEA,qCAAqC;YACrC,MAAMwB,aAAaD,MAAME,UAAU,CAAC,aAAaF,MAAMG,SAAS,CAAC,KAAKH;YAEtE,MAAMI,UAAU/C,IAAIgD,MAAM,CAACJ,YAAY,IAAI,CAACtC,SAAS,EAAE;gBACrD2C,YAAY;oBAAC;iBAAQ;YACvB;YAEA,2BAA2B;YAC3B,IAAI,CAACF,QAAQb,MAAM,IAAI,CAACa,QAAQZ,QAAQ,IAAI,CAACY,QAAQX,IAAI,EAAE;gBACzD,MAAM,IAAIvC,cAAcC,UAAUsB,iBAAiB,EAAE;YACvD;YAEA,4CAA4C;YAC5C,IAAI,CAAC8B,OAAOC,MAAM,CAACjD,UAAUkD,QAAQ,CAACL,QAAQX,IAAI,GAAG;gBACnD,MAAM,IAAIvC,cAAcC,UAAUsB,iBAAiB,EAAE,CAAC,cAAc,EAAE2B,QAAQX,IAAI,EAAE;YACtF;YAEA,OAAO;gBACLF,QAAQa,QAAQb,MAAM;gBACtBC,UAAUY,QAAQZ,QAAQ;gBAC1BC,MAAMW,QAAQX,IAAI;gBAClBC,OAAOU,QAAQV,KAAK;gBACpBgB,UAAUN,QAAQO,GAAG,IAAIC,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK;gBACjDC,WAAWZ,QAAQa,GAAG,IAAIL,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK,QAAQ,IAAI,CAACnD,sBAAsB;YACvF;QACF,EAAE,OAAOsD,OAAO;YACd,IAAIA,iBAAiBhE,eAAe;gBAClC,MAAMgE;YACR;YAEA,IAAIA,iBAAiB7D,IAAI8D,iBAA
iB,EAAE;gBAC1C,MAAM,IAAIjE,cACRC,UAAUsB,iBAAiB,EAC3B,oCACA;oBAAE2C,WAAWF,MAAME,SAAS,EAAEC;gBAAc,GAC5CH;YAEJ;YAEA,IAAIA,iBAAiB7D,IAAIiE,iBAAiB,EAAE;gBAC1C,MAAM,IAAIpE,cAAcC,UAAUsB,iBAAiB,EAAE,gCAAgC,CAAC,GAAGyC;YAC3F;YAEA,MAAM,IAAIhE,cAAcC,UAAUsB,iBAAiB,EAAE,2BAA2B,CAAC,GAAGyC;QACtF;IACF;IAEA;;;;;GAKC,GACDK,gBAAgBC,SAAiB,EAAEC,WAAwB,EAAQ;QACjE,IAAI,CAAC5D,QAAQ,CAAC6D,GAAG,CAACF,WAAW;YAAE,GAAGC,WAAW;YAAED;QAAU;QACzDlE,OAAO+B,KAAK,CAAC,sBAAsB;YAAEmC;YAAWjC,QAAQkC,YAAYlC,MAAM;QAAC;IAC7E;IAEA;;;;;;GAMC,GACDoC,gBAAgBH,SAAiB,EAAe;QAC9C,MAAMI,UAAU,IAAI,CAAC/D,QAAQ,CAACgE,GAAG,CAACL;QAElC,IAAI,CAACI,SAAS;YACZ,MAAM,IAAI1E,cAAcC,UAAUsB,iBAAiB,EAAE;QACvD;QAEA,+BAA+B;QAC/B,IAAImD,QAAQZ,SAAS,GAAGJ,KAAKC,KAAK,CAACC,KAAKC,GAAG,KAAK,OAAO;YACrD,IAAI,CAAClD,QAAQ,CAACiE,MAAM,CAACN;YACrB,MAAM,IAAItE,cAAcC,UAAUsB,iBAAiB,EAAE;QACvD;QAEA,OAAOmD;IACT;IAEA;;;;GAIC,GACDG,kBAAkBP,SAAiB,EAAQ;QACzC,IAAI,CAAC3D,QAAQ,CAACiE,MAAM,CAACN;QACrBlE,OAAO+B,KAAK,CAAC,uBAAuB;YAAEmC;QAAU;IAClD;IAEA;;;;;;GAMC,GACDQ,mBAAmBC,UAAmB,EAAET,SAAkB,EAAe;QACvE,sBAAsB;QACtB,IAAIS,YAAY;YACd,OAAO,IAAI,CAAClC,aAAa,CAACkC;QAC5B;QAEA,sBAAsB;QACtB,IAAIT,WAAW;YACb,OAAO,IAAI,CAACG,eAAe,CAACH;QAC9B;QAEA,MAAM,IAAItE,cACRC,UAAUsB,iBAAiB,EAC3B;IAEJ;AACF;AAEA;;CAEC,GACD,OAAO,MAAMyD;IACHC,eAA+B;IAEvC,YAAYA,cAA8B,CAAE;QAC1C,IAAI,CAACA,cAAc,GAAGA;IACxB;IAEA;;;;;;GAMC,GACDC,cAAcX,WAAwB,EAAEY,SAA6B,EAAW;QAC9E,MAAMC,oBAAoB7E,gBAAgB,CAACgE,YAAYhC,IAAI,CAAC;QAC5D,OAAO6C,kBAAkB7B,QAAQ,CAAC4B;IACpC;IAEA;;;;;;;GAOC,GACDE,kBAAkBd,WAAwB,EAAEY,SAA6B,EAAEG,OAAgB,EAAQ;QACjG,IAAI,CAAC,IAAI,CAACJ,aAAa,CAACX,aAAaY,YAAY;YAC/C/E,OAAOmF,IAAI,CAAC,wBAAwB;gBAClClD,QAAQkC,YAAYlC,MAAM;gBAC1BE,MAAMgC,YAAYhC,IAAI;gBACtB4C;gBACAG;YACF;YAEA,MAAM,IAAItF,cACRC,UAAUsB,iBAAiB,EAC3B,CAAC,oDAAoD,EAAE4D,WAAW,EAClE;gBACE9C,QAAQkC,YAAYlC,MAAM;gBAC1BE,MAAMgC,YAAYhC,IAAI;gBACtB4C;gBACAG;gBACAF,mBAAmB7E,gBAAgB,CAACgE,YAAYhC,IAAI,CAAC;YACvD;QAEJ;QAEAnC,OAAO+B,KAAK,CAAC,yBAAyB;YACpCE,QAAQkC,YAAYlC,MAAM;YAC1BE,MAAMgC,YAAYhC,IAAI;YACtB4C;YACAG;QACF;IACF;IAEA;;;;;GAKC,GACDE,qB
AAqBjD,IAAc,EAAwB;QACzD,OAAOhC,gBAAgB,CAACgC,KAAK;IAC/B;AACF;AAEA;;;CAGC,GACD,OAAO,SAASkD,kBAAkBN,SAA6B;IAC7D,OAAO,SAAUO,MAAW,EAAEC,WAAmB,EAAEC,UAA8B;QAC/E,MAAMC,iBAAiBD,WAAWE,KAAK;QAEvCF,WAAWE,KAAK,GAAG,eAA2B,GAAGC,IAAW;YAC1D,mDAAmD;YACnD,IAAI,CAAC,IAAI,CAACxB,WAAW,EAAE;gBACrB,MAAM,IAAIvE,cACRC,UAAUsB,iBAAiB,EAC3B;YAEJ;YAEA,IAAI,CAAC,IAAI,CAACyE,YAAY,EAAE;gBACtB,MAAM,IAAIhG,cACRC,UAAUsB,iBAAiB,EAC3B;YAEJ;YAEA,MAAM+D,UAAUS,IAAI,CAAC,EAAE,EAAET,WAAWS,IAAI,CAAC,EAAE,EAAET;YAC7C,IAAI,CAACU,YAAY,CAACX,iBAAiB,CAAC,IAAI,CAACd,WAAW,EAAEY,WAAWG;YAEjE,OAAOO,eAAeI,KAAK,CAAC,IAAI,EAAEF;QACpC;QAEA,OAAOH;IACT;AACF;AAEA,eAAepF,eAAe"}